1. Field of the Invention
The present invention relates to an authentication system and authentication method for performing authentication of a wireless terminal that issues an authentication request, through a wireless base station, to an authentication server connected to a communication network and, more particularly, to an authentication system and authentication method in which the authentication server uses RAS (Remote Access Service) unique information, which is unique to a wireless base station, to perform authentication of the wireless terminal.
2. Description of the Related Art
As a conventional system for performing authentication of a wireless terminal, there is known one in which a wireless terminal issues an authentication request including authentication information such as user ID (identification) and password to a wireless base station, and the wireless base station performs an authentication determination for the received authentication request or asks an authentication server in which authentication information has been registered for the authentication determination to thereby accept or reject an access of the wireless terminal to a network service.
As a conventional system for performing authentication of a wireless terminal, a typical authentication system disclosed in Patent Document 1 (JP-2002-324052-A) will be described below with reference to FIG. 5.
A system for performing authentication of a wireless terminal shown in FIG. 5 includes a first wireless base station #1, a second wireless base station #2, a third wireless base station #3, a wireless terminal 21, an authentication server 31, and a communication network 41.
The first wireless base station #1 (wireless base station 11) includes a wireless interface section 12, an authentication processing section 14, a filtering table 15, a filtering section 16, and a wired interface section 17.
The second and third wireless base stations #2 and #3 have the same configuration as that of the wireless base station 11 and, as shown in FIG. 5, a plurality of wireless base stations are connected to the communication network 41.
The wireless base station 11 is connected to the authentication server 31 through the communication network 41. Upon receiving an authentication request including authentication information such as user ID and password from the wireless terminal 21, the wireless base station 11 asks the authentication server 31 in which authentication information has been registered for the authentication determination to thereby accept or reject an access of the wireless terminal 21 to a network service.
When the wireless terminal 21 is once authenticated by the authentication server 31 and access to a communication network is allowed, the wireless base station 11 stores the terminal ID of the wireless terminal 21 in the filtering table 15. That is, the acceptance/rejection determination for the wireless terminal 21 to be performed within the wireless base station 11 is made based on whether the terminal ID stored in the filtering table 15 coincides with the received terminal ID.
The wireless interface section 12 of the wireless base station 11 performs wireless communication with the wireless terminal 21 to exchange packets therewith. Then, the wireless interface section 12 determines whether a received packet is a wireless connection request packet. If the received packet is the wireless connection request packet, the wireless interface section 12 extracts authentication information and terminal ID from the received wireless connection request packet. If the received packet is not the wireless connection request packet, the wireless interface section 12 extracts terminal ID from the received packet.
If a received packet is a wireless connection request packet, the authentication processing section 14 acquires authentication information and terminal ID from the wireless interface section 12, generates an authentication request packet including the received authentication information, and transmits the generated authentication request packet to the authentication server 31 through the wired interface section 17 and communication network 41.
The authentication processing section 14 receives an authentication reply from the authentication server 31 through the communication network 41 and wired interface section 17. If the authentication reply indicates “authentication acceptance”, the authentication processing section 14 stores the terminal ID in the filtering table 15 and transmits a wireless connection acceptance packet to the wireless terminal 21. If the authentication reply indicates “authentication rejection”, the authentication processing section 14 does not store the terminal ID in the filtering table 15 but transmits a wireless connection rejection packet to the wireless terminal 21.
The outline of operation of the entire wireless terminal authentication system shown in FIG. 5 will next be described.
First, the wireless terminal 21 issues a network connection request to the authentication server 31 connected to the communication network 41 through the wireless base station 11.
In this case, the wireless base station 11 acquires authentication information and terminal ID from a wireless connection request packet including the authentication information which is transmitted from the wireless terminal 21 and transmits the acquired information in the form of an authentication request packet to the authentication server 31.
After acquiring the authentication information from the authentication request packet transmitted from the wireless base station 11, the authentication server 31 checks the authentication information that has previously been registered in an authentication information management table 32 provided in the authentication server 31 to determine whether there is authentication information coinciding with the acquired authentication information.
If there is no authentication information coinciding with the acquired authentication information in the authentication information management table 32 of the authentication server 31, the authentication server 31 determines “authentication rejection” for the wireless terminal 21. On the other hand, if there is authentication information coinciding with the acquired authentication information, the authentication server 31 determines “authentication acceptance”.
If it is determined to be “authentication acceptance”, the authentication server 31 generates an authentication acceptance reply packet and transmits the generated authentication acceptance reply packet to the wireless base station 11. On the other hand, if it is determined to be “authentication rejection”, the authentication server 31 generates an authentication rejection reply packet and transmits the generated authentication rejection reply packet to the wireless base station 11.
If the wireless base station 11 receives the authentication acceptance reply packet, it transmits a wireless connection acceptance reply packet to the wireless terminal 21. On the other hand, if the wireless base station 11 receives the authentication rejection reply packet, it transmits a wireless connection rejection reply packet to the wireless terminal 21.
As described above, the wireless terminal 21 that has received the wireless connection acceptance packet can be connected to the communication network 41 through the wireless base station 11 and can perform communication with a device connected to the communication network 41. On the other hand, with regard to the wireless terminal 21 that has transmitted authentication information that does not coincide with the authentication information registered in the authentication information management table 32 of the authentication server 31, connection to the communication network 41 is rejected for the purpose of preventing unauthorized use of the wireless terminal (see Patent Document 1).
In the authentication system disclosed in Patent Document 1, unauthorized use of the wireless terminal can be prevented by deleting the authentication information of the relevant wireless terminal from the authentication information management table 32 of the authentication server 31, even if a given wireless terminal is stolen or lost. However, in the case where a given wireless terminal is shared by a plurality of users, it is difficult to identify when, where, and by whom the terminal is used. Thus, in the case of theft or loss, it takes a long time to find out the unauthorized use. For this reason, the above authentication system can be said to be vulnerable to the unauthorized use.
Here, there is known a method in which authentication information and a validity period for the authentication are registered in the authentication information management table 32 of the authentication server 31 in association with each other. In this method, when the wireless terminal 21 issues a connection request within the authentication validity period and authentication acceptance is determined, the authentication validity period is updated so that use of the terminal is prolonged.
When there is no connection request from the wireless terminal 21 within the validity period and therefore no authentication acceptance is determined, the validity period of the authentication is determined to have expired, and the authentication information of the wireless terminal 21 is invalidated. As described above, by setting a time limit for authentication and combining two determinations, whether or not the received authentication information coincides with the registered authentication information and whether or not the validity period has elapsed, unauthorized access to the communication network 41 can be prevented.
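The prior-art flow described above (base station 11 forwarding credentials to server 31, the filtering table 15, and the validity-period method) as an added Python simulation; this is not code from the patent or from Patent Document 1, and the class names, the integer timestamps and the sample credentials are assumptions constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AuthServer:
    """Authentication server 31: the management table 32 maps
    (user ID, password) to the expiry time of its validity period."""
    validity_period: int                                   # seconds (assumed)
    table: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def register(self, user_id: str, password: str, now: int) -> None:
        self.table[(user_id, password)] = now + self.validity_period

    def authenticate(self, user_id: str, password: str, now: int) -> bool:
        expiry: Optional[int] = self.table.get((user_id, password))
        if expiry is None:
            return False                   # no coinciding entry: rejection
        if now > expiry:
            del self.table[(user_id, password)]   # period elapsed: invalidate
            return False
        self.table[(user_id, password)] = now + self.validity_period  # prolong
        return True


@dataclass
class BaseStation:
    """Wireless base station 11: filtering table 15 holds terminal IDs
    that the server has accepted; data packets are checked against it."""
    server: AuthServer
    filtering_table: set = field(default_factory=set)

    def connection_request(self, terminal_id, user_id, password, now) -> str:
        if self.server.authenticate(user_id, password, now):
            self.filtering_table.add(terminal_id)          # accepted: store ID
            return "accept"
        return "reject"                                    # rejected: not stored

    def data_packet_allowed(self, terminal_id: str) -> bool:
        return terminal_id in self.filtering_table


def demo(validity_period: int = 3600):
    """Constructed scenario: one terminal T-21 reconnecting at intervals."""
    server = AuthServer(validity_period)
    server.register("alice", "pw-constructed", now=0)
    bs = BaseStation(server)
    r1 = bs.connection_request("T-21", "alice", "pw-constructed", now=1800)
    fwd = bs.data_packet_allowed("T-21")
    r2 = bs.connection_request("T-21", "alice", "pw-constructed", now=5000)
    r3 = bs.connection_request("T-21", "alice", "pw-constructed", now=9500)
    r4 = bs.connection_request("T-21", "alice", "pw-constructed", now=9600)
    return (r1, fwd, r2, r3, r4)
```

Running `demo()` with the default period shows the period being prolonged on each accepted request and the entry being invalidated once a gap exceeds it; running `demo(validity_period=100)` shows the short-period trade-off, where the very first request already arrives after expiry.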
Shortening the validity period in such a conventional technique is an effective way of preventing unauthorized use of the wireless terminal at the time of its theft or loss. However, the authentication validity period may then expire frequently for reasons other than theft or loss. Accordingly, invalidation of authentication information becomes an everyday affair, increasing the workload of the administrator who manages the authentication information. Further, the wireless terminal frequently becomes disabled due to the invalidation, interfering with everyday activities. As described above, the abovementioned conventional authentication system is impractical.
As another system for preventing unauthorized use of the wireless terminal, there are known a security system for a mobile wireless terminal, a mobile wireless terminal, and a recording medium storing a security program (see Patent Document 2 (JP-2001-346257-A)).
However, the authentication method for a wireless terminal, wireless base station, and communication system disclosed in Patent Document 1 employs an authentication system obtained by combining authentication information and terminal ID, so that if the wireless terminal is stolen, unauthorized use of the wireless terminal cannot be prevented.
Further, the security system for a mobile wireless terminal, mobile wireless terminal, and recording medium storing a security program disclosed in Patent Document 2 prevents the unauthorized use by utilizing authentication information associated with wireless terminal unique information and by periodically changing authentication information to be input by a user. However, in the case where program update or data update in a business terminal needs to be performed through a communication network at night in an unmanned manner, authentication information cannot be input due to unmanned operation.
Thus, in the conventional wireless terminal authentication system that rejects authentication according to the set validity period or confirms the validity of authentication based on the ID/password input operation of a user, an effective means of preventing unauthorized use of the wireless terminal at the time of its theft or loss and preventing unauthorized use in a wireless terminal for business use allowing unmanned operation has not been established.